On Sep 12, 2008, at 1:16 PM, Stuart Henderson wrote:
Wait, how do you know someone is typing a password inside the session
and not just writing a text file or typing arbitrary commands?
e.g. when Eve's machine that's hijacking the network packets picks
up an outgoing SSH connection.
I'm not going to say "It's impossible." It's not. How about "really
highly unlikely" that Eve will pick up enough useful signal to decrypt
which letters are being typed by the user. I know that not everyone
uses ssh keys, or chains authentication back to themselves.. but..
c'mon, be realistic.
Eve will be hard pressed to get enough information from the SSH stream.
Not due to the express inclusion of padding, but because there's never
going to be enough in a capture to create context to decrypt from.
Frankly, concern over someone sniffing and discovering your password
over captured ssh traffic pattern analysis is much less likely than
someone shoulder surfing your system password first, or your ssh key
passphrase.
Attacking encryption is hard. You pretty much have to have shortcuts
(such as all 32767 system keys per arch after the Debian OpenSSL
fiasco) to really mount an effective attack against ssh.
Some output from "tcpdump -X -n -ttt -e -s 0 -i en1 port ssh", I'm
10.1.10.48, remote system is 208.69.42.188. I've provided plaintext
and full packet captures of each keystroke.
SSH dump of "ls" to the remote system:
5. 718164 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4
(0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P
576:624(48) ack 6657 win 65535 <nop,nop,timestamp 943744645 2291943408>
038923 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6657:6705(48) ack
624 win 17376 <nop,nop,timestamp 2291943419 943744645>
000040 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6705 win 65535
<nop,nop,timestamp 943744645 2291943419>
039783 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 624:672(48) ack
6705 win 65535 <nop,nop,timestamp 943744645 2291943419>
033901 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6705:6753(48) ack
672 win 17376 <nop,nop,timestamp 2291943419 943744645>
000041 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6753 win 65535
<nop,nop,timestamp 943744646 2291943419>
CTRL-U:
57. 039425 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4
(0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P
672:720(48) ack 6753 win 65535 <nop,nop,timestamp 943745216 2291943419>
036132 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6753:6801(48) ack
720 win 17376 <nop,nop,timestamp 2291943533 943745216>
000037 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6801 win 65535
<nop,nop,timestamp 943745216 2291943533>
"Enter" (CRLF):
306. 451603 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4
(0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P
720:768(48) ack 6801 win 65535 <nop,nop,timestamp 943748280 2291943533>
037951 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6801:6849(48) ack
768 win 17376 <nop,nop,timestamp 2291944146 943748280>
000036 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6849 win 65535
<nop,nop,timestamp 943748280 2291944146>
000280 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6849:6897(48) ack
768 win 17376 <nop,nop,timestamp 2291944146 943748280>
000023 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6897 win 65535
<nop,nop,timestamp 943748280 2291944146>
000549 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6897:6945(48) ack
768 win 17376 <nop,nop,timestamp 2291944146 943748280>
000026 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6945 win 65535
<nop,nop,timestamp 943748280 2291944146>
Let's stop tcpdump(1) and restart it: how about "ls" again?
000000 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 114: 10.1.10.48.58588 > 208.69.42.188.22: P
3303156417:3303156465(48) ack 3044113678 win 65535 <nop,nop,timestamp
943753041 2291944639>
036378 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 1:49(48) ack 48 win
17376 <nop,nop,timestamp 2291945099 943753041>
000038 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 49 win 65535
<nop,nop,timestamp 943753041 2291945099>
054880 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 48:96(48) ack 49
win 65535 <nop,nop,timestamp 943753042 2291945099>
038957 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800),
length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 49:97(48) ack 96
win 17376 <nop,nop,timestamp 2291945099 943753042>
000042 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800),
length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 97 win 65535
<nop,nop,timestamp 943753042 2291945099>
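
What the capture above exposes to a passive observer, as an added example that is not part of the original message: a parser for the "tcpdump -ttt -e" summary lines that tallies TCP payload sizes per direction. The sample lines are a subset copied from the capture (wraps rejoined, TCP options trimmed); mapping the client segments to keys by the message's section headings is an assumption.

```python
import re
from collections import Counter

# Subset of summary lines from the capture in the message: line wraps
# rejoined, TCP options after "win" trimmed, hex payload omitted.
CAPTURE = """\
5. 718164 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 576:624(48) ack 6657 win 65535
038923 00:13:f7:21:cb:26 > 00:1b:63:ce:0e:d0, ethertype IPv4 (0x0800), length 114: 208.69.42.188.22 > 10.1.10.48.58588: P 6657:6705(48) ack 624 win 17376
000040 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800), length 66: 10.1.10.48.58588 > 208.69.42.188.22: . ack 6705 win 65535
039783 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 624:672(48) ack 6705 win 65535
57. 039425 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 672:720(48) ack 6753 win 65535
306. 451603 00:1b:63:ce:0e:d0 > 00:13:f7:21:cb:26, ethertype IPv4 (0x0800), length 114: 10.1.10.48.58588 > 208.69.42.188.22: P 720:768(48) ack 6801 win 65535
"""

# -ttt delta, MACs, frame length, src/dst "ip.port", flags, optional seq:end(len).
LINE = re.compile(
    r"^(?:\d+\. )?\d{6} \S+ > \S+, ethertype IPv4 \(0x0800\), length (?P<frame>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?P<flags>\S+) (?:\d+:\d+\((?P<len>\d+)\) )?ack \d+"
)

def parse(capture):
    """Return one dict per recognised summary line; other lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "frame": int(m["frame"]),
                            "payload": int(m["len"] or 0)})
    return packets

def observer_view(capture, client="10.1.10.48",
                  labels=("l", "s", "Ctrl-U", "Enter")):
    """Payload sizes per direction, plus (label, size) per client data segment."""
    sizes = {"client": Counter(), "server": Counter()}
    keys = []
    for p in parse(capture):
        if p["payload"] == 0:
            continue  # bare ACK: carries no SSH data
        side = "client" if p["src"] == client else "server"
        sizes[side][p["payload"]] += 1
        if side == "client" and len(keys) < len(labels):
            keys.append((labels[len(keys)], p["payload"]))  # assumed mapping
    return sizes, keys

if __name__ == "__main__":
    sizes, keys = observer_view(CAPTURE)
    print(keys)   # every key press is one segment of the same size
    print(sizes)
```

Every frame in the sample is 66 bytes of Ethernet, IP and TCP headers plus the payload, so a printable character, Ctrl-U and Enter are the same size on the wire.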